The Cybersecurity and Infrastructure Security Agency (CISA) warned of the presence of several security vulnerabilities in Boston Scientific’s Zoom Latitude Programmer/Recorder/Monitor (PRM) Model 3120 equipment deployed globally across the healthcare and public health sectors. These security loopholes include the use of a password hash with insufficient computational effort, missing protection against hardware reverse engineering using integrated circuit (IC) imaging techniques, improper access control, missing support for integrity checks, and reliance on software components that cannot be updated.
The exploitation of these vulnerabilities may allow an attacker with physical access to the affected device to obtain patient-protected health information (PHI), and/or compromise the integrity of the device, CISA said in its ICS Medical Advisory. The affected device is not network connected and does not contain hardware to be network connected.
CISA noted that these issues were discovered by Endres Puschner – Max Planck Institute for Security and Privacy, Bochum, Christoph Saatjohann – FH Münster University of Applied Sciences, Christian Dresen – FH Münster University of Applied Sciences, and Markus Willing – University of Muenster, as part of broader academic research into cardiac devices, and that the researchers reported them to Boston Scientific.
The Zoom Latitude PRM Model 3120 equipment consists of portable cardiac rhythm management systems, which are used to communicate with implanted pacemakers and defibrillators.
An attacker with physical access to the Zoom Latitude Model 3120 equipment can remove the hard disk drive or create a specially crafted USB to extract the password hash for brute-force reverse engineering of the system password, CISA warned. In addition, a hacker with physical access to the device can extract the binary that checks for the hardware key and reverse engineer it, which could be used to create a physical duplicate of a valid hardware key. The hardware key allows access to special settings when inserted.
CISA also noted that a skilled attacker with physical access to the Zoom Latitude equipment can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world. Furthermore, the programmer installation utility does not perform cryptographic authenticity or integrity checks of the software on the flash drive. An attacker could leverage this weakness to install unauthorized software using a specially crafted USB.
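As an added illustration, not Boston Scientific's code and not part of the CISA advisory, the kind of verify-before-install gate that the advisory says the programmer installation utility lacks: the installer recomputes the image digest (integrity) and checks the vendor's signature over it (authenticity) before anything from the flash drive is installed. The manifest layout, key handling and function names are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the constructed metadata assumed to accompany a software
// image on the installation flash drive: the image's SHA-256 digest and
// the vendor's Ed25519 signature over that digest.
type Manifest struct {
	Digest    [32]byte
	Signature []byte
}

// SignImage is the hypothetical vendor-side step: hash the image and sign the digest.
func SignImage(priv ed25519.PrivateKey, image []byte) Manifest {
	d := sha256.Sum256(image)
	return Manifest{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyImage is the installer-side gate: it rejects an image whose digest
// no longer matches the manifest, and a manifest not signed by the vendor key.
func VerifyImage(pub ed25519.PublicKey, image []byte, m Manifest) error {
	if got := sha256.Sum256(image); got != m.Digest {
		return errors.New("integrity: image digest does not match manifest")
	}
	if !ed25519.Verify(pub, m.Digest[:], m.Signature) {
		return errors.New("authenticity: manifest not signed by the vendor key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed sample installer image v1") // constructed sample input
	m := SignImage(priv, image)
	fmt.Println("genuine image:", VerifyImage(pub, image, m))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // one flipped byte is enough to fail the digest check
	fmt.Println("tampered image:", VerifyImage(pub, tampered, m))
	// A manifest re-signed with any key other than the vendor's is rejected too.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("re-signed with non-vendor key:", VerifyImage(pub, tampered, SignImage(otherPriv, tampered)))
}
```

The vendor public key would normally be pinned inside the installer image rather than shipped on the same removable drive, since a key that travels with the payload verifies nothing.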
The Zoom Latitude equipment also uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities.
The CISA advisory said that Boston Scientific is in the process of transitioning all users to the Latitude Programming System Model 3300, which will act as a replacement programmer with enhanced security. Boston Scientific will not issue a product update to address the identified vulnerabilities in the Zoom Latitude Model 3120.
To reduce the risk of exploitation, Boston Scientific recommends that those still utilizing the Zoom Latitude PRM Model 3120 control access to the device and ensure all access is properly inventoried, maintain the device in a secure or locked location when not in use, and remove PHI prior to retiring or removing the device from the facility. Instructions for removing PHI are outlined in the operator’s manual. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
In October 2017, CISA had issued an advisory on the detection of two vulnerabilities in the Boston Scientific Zoom Latitude Model 3120. The vulnerabilities were not remotely exploitable and required physical access, but could be exploited by an attacker with low skill. The security agency identified that exploitation of these vulnerabilities may allow an attacker with physical access to obtain PHI.
Several security vulnerabilities were also identified in July in Philips Vue PACS equipment deployed globally in the healthcare and public health sectors. These vulnerabilities can be exploited remotely and allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity, negatively impacting the confidentiality, integrity, or availability of the system.